finishing touches to cert generation

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@144 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
2025-04-21 10:26:06 +03:00 · 2007-12-02 08:01:12 +00:00 · 2007-12-02 08:01:12 +00:00 · 785380660e
commit 785380660e
parent bffc3b2197
22 changed files with 348 additions and 306 deletions
--- a/1
+++ b/1
@ -82,6 +82,7 @@ docs:
 # build the Win32 demo release version
 win32_demo:
 	@echo "#define AXTLS_VERSION    \"$(VERSION)\"" > ssl/version.h
 	$(MAKE) win32releaseconf
 install: $(PREFIX) all
--- a/config/axhttpd.aip
+++ b/config/axhttpd.aip
@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<DOCUMENT type="Advanced Installer" CreateVersion="3.9" version="5.2.2" modules="freeware" RootPath="." Language="en">
+<DOCUMENT type="Advanced Installer" CreateVersion="3.9" version="6.0.1" modules="freeware" RootPath="." Language="en">
  <COMPONENT cid="caphyon.advinst.msicomp.MsiPropsComponent">
    <ROW Property="ALLUSERS" Value="2"/>
    <ROW Property="ARPCOMMENTS" Value="This installer database contains the logic and data required to install &lt;product name&gt;." ValueLocId="*"/>
@ -8,10 +8,10 @@
    <ROW Property="BannerBitmap" Value="default_banner.bmp" Type="1"/>
    <ROW Property="DialogBitmap" Value="default_dialog.bmp" Type="1"/>
    <ROW Property="Manufacturer" Value="axTLS" ValueLocId="*"/>
-    <ROW Property="ProductCode" Value="1033:{E8FE72D8-1458-4F35-9759-EEBE44D96732} "/>
+    <ROW Property="ProductCode" Value="1033:{F49FFA19-C243-4627-BE13-7DEDA4E700D0} "/>
    <ROW Property="ProductLanguage" Value="1033"/>
    <ROW Property="ProductName" Value="Axhttpd" ValueLocId="*"/>
-    <ROW Property="ProductVersion" Value="1.1.7"/>
+    <ROW Property="ProductVersion" Value="1.1.8"/>
    <ROW Property="SecureCustomProperties" Value="OLDPRODUCTS;AI_NEWERPRODUCTFOUND"/>
    <ROW Property="UpgradeCode" Value="{93E5623E-740C-449C-9770-EDABD392868D}"/>
  </COMPONENT>
@ -51,8 +51,8 @@
    <ROW File="axtls.dll" Component_="axtls.dll" FileName="axtls.dll" Attributes="0" SourcePath="..\_stage\axtls.dll" SelfReg="false" Sequence="3"/>
    <ROW File="axtls.lib" Component_="axtls.jar" FileName="axtls.lib" Attributes="0" SourcePath="..\_stage\axtls.lib" SelfReg="false" Sequence="4"/>
    <ROW File="axtls.static.lib" Component_="axtls.jar" FileName="axtlss~1.lib|axtls.static.lib" Attributes="0" SourcePath="..\_stage\axtls.static.lib" SelfReg="false" Sequence="5"/>
-    <ROW File="bigint.h" Component_="bigint.h" FileName="bigint.h" Attributes="0" SourcePath="..\ssl\bigint.h" SelfReg="false" Sequence="12"/>
+    <ROW File="bigint.h" Component_="bigint.h" FileName="bigint.h" Attributes="0" SourcePath="..\crypto\bigint.h" SelfReg="false" Sequence="12"/>
-    <ROW File="bigint_impl.h" Component_="bigint.h" FileName="bigint~1.h|bigint_impl.h" Attributes="0" SourcePath="..\ssl\bigint_impl.h" SelfReg="false" Sequence="9"/>
+    <ROW File="bigint_impl.h" Component_="bigint.h" FileName="bigint~1.h|bigint_impl.h" Attributes="0" SourcePath="..\crypto\bigint_impl.h" SelfReg="false" Sequence="9"/>
    <ROW File="crypto.h" Component_="bigint.h" FileName="crypto.h" Attributes="0" SourcePath="..\crypto\crypto.h" SelfReg="false" Sequence="10"/>
    <ROW File="crypto_misc.h" Component_="bigint.h" FileName="crypto~1.h|crypto_misc.h" Attributes="0" SourcePath="..\ssl\crypto_misc.h" SelfReg="false" Sequence="21"/>
    <ROW File="favicon.ico" Component_="favicon.ico" FileName="favicon.ico" Attributes="0" SourcePath="..\www\favicon.ico" SelfReg="false" Sequence="6"/>
@ -69,7 +69,7 @@
    <ROW File="tls1.h" Component_="bigint.h" FileName="tls1.h" Attributes="0" SourcePath="..\ssl\tls1.h" SelfReg="false" Sequence="11"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.BuildComponent">
-    <ROW BuildName="DefaultBuild" BuildOrder="1" BuildType="0" InstallationType="4"/>
+    <ROW BuildKey="DefaultBuild" BuildName="DefaultBuild" BuildOrder="1" BuildType="0" InstallationType="4"/>
    <ATTRIBUTE name="CurrentBuild" value="DefaultBuild"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.DictionaryComponent">
@ -105,15 +105,15 @@
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiCustActComponent">
    <ROW Action="AI_DOWNGRADE" Type="19" Target="4010"/>
-    <ROW Action="AI_PREPARE_UPGRADE" Type="1" Source="aicustact.dll" Target="PrepareUpgrade"/>
+    <ROW Action="AI_PREPARE_UPGRADE" Type="65" Source="aicustact.dll" Target="PrepareUpgrade"/>
-    <ROW Action="AI_RESTORE_LOCATION" Type="1" Source="aicustact.dll" Target="RestoreLocation"/>
+    <ROW Action="AI_RESTORE_LOCATION" Type="65" Source="aicustact.dll" Target="RestoreLocation"/>
    <ROW Action="AI_STORE_LOCATION" Type="51" Source="ARPINSTALLLOCATION" Target="[APPDIR]"/>
    <ROW Action="SET_APPDIR" Type="307" Source="APPDIR" Target="[ProgramFilesFolder][Manufacturer]\[ProductName]" MultiBuildTarget="DefaultBuild:[ProgramFilesFolder][ProductName]"/>
    <ROW Action="SET_SHORTCUTDIR" Type="307" Source="SHORTCUTDIR" Target="[ProgramMenuFolder][ProductName]"/>
    <ROW Action="SET_TARGETDIR_TO_APPDIR" Type="51" Source="TARGETDIR" Target="[APPDIR]"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiIconsComponent">
-    <ROW Name="controlPanelIcon.exe" SourcePath="..\www\favicon.ico" Index="0"/>
+    <ROW Name="controlPanelIcon.exe" SourcePath="..\..\axhttpd\www\favicon.ico" Index="0"/>
  </COMPONENT>
  <COMPONENT cid="caphyon.advinst.msicomp.MsiInstExSeqComponent">
    <ROW Action="AI_DOWNGRADE" Condition="AI_NEWERPRODUCTFOUND AND (UILevel &lt;&gt; 5)" Sequence="210"/>
--- a/config/linuxconfig
+++ b/config/linuxconfig
@ -12,6 +12,7 @@ CONFIG_PLATFORM_LINUX=y
 #
 PREFIX="/usr/local"
 # CONFIG_DEBUG is not set
 CONFIG_STRIP_UNWANTED_SECTIONS=y
 # CONFIG_VISUAL_STUDIO_7_0 is not set
 # CONFIG_VISUAL_STUDIO_8_0 is not set
 CONFIG_VISUAL_STUDIO_7_0_BASE=""
@ -31,6 +32,13 @@ CONFIG_SSL_FULL_MODE=y
 CONFIG_SSL_PROT_MEDIUM=y
 # CONFIG_SSL_PROT_HIGH is not set
 CONFIG_SSL_USE_DEFAULT_KEY=y
 CONFIG_SSL_PRIVATE_KEY_LOCATION=""
 CONFIG_SSL_PRIVATE_KEY_PASSWORD=""
 CONFIG_SSL_X509_CERT_LOCATION=""
 CONFIG_SSL_GENERATE_X509_CERT=y
 CONFIG_SSL_X509_COMMON_NAME=""
 CONFIG_SSL_X509_ORGANIZATION_NAME=""
 CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME=""
 CONFIG_SSL_ENABLE_V23_HANDSHAKE=y
 CONFIG_SSL_HAS_PEM=y
 CONFIG_SSL_USE_PKCS12=y
@ -62,6 +70,7 @@ CONFIG_HTTP_HAS_CGI=y
 CONFIG_HTTP_CGI_EXTENSIONS=".lua,.lp"
 CONFIG_HTTP_ENABLE_LUA=y
 CONFIG_HTTP_LUA_PREFIX="/usr/local"
 CONFIG_HTTP_LUA_CGI_LAUNCHER="/bin/cgi"
 # CONFIG_HTTP_BUILD_LUA is not set
 CONFIG_HTTP_DIRECTORIES=y
 CONFIG_HTTP_HAS_AUTHORIZATION=y
--- a/config/win32config
+++ b/config/win32config
@ -36,6 +36,13 @@ CONFIG_SSL_FULL_MODE=y
 CONFIG_SSL_PROT_MEDIUM=y
 # CONFIG_SSL_PROT_HIGH is not set
 CONFIG_SSL_USE_DEFAULT_KEY=y
 CONFIG_SSL_PRIVATE_KEY_LOCATION=""
 CONFIG_SSL_PRIVATE_KEY_PASSWORD=""
 CONFIG_SSL_X509_CERT_LOCATION=""
 CONFIG_SSL_GENERATE_X509_CERT=y
 CONFIG_SSL_X509_COMMON_NAME=""
 CONFIG_SSL_X509_ORGANIZATION_NAME=""
 CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME=""
 CONFIG_SSL_ENABLE_V23_HANDSHAKE=y
 CONFIG_SSL_HAS_PEM=y
 CONFIG_SSL_USE_PKCS12=y
@ -59,10 +66,6 @@ CONFIG_HTTP_HTTPS_PORT=443
 CONFIG_HTTP_SESSION_CACHE_SIZE=5
 CONFIG_HTTP_WEBROOT="www"
 CONFIG_HTTP_TIMEOUT=300
 #
 # CGI
 #
 # CONFIG_HTTP_HAS_CGI is not set
 CONFIG_HTTP_CGI_EXTENSIONS=""
 # CONFIG_HTTP_ENABLE_LUA is not set
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@ -198,7 +198,7 @@ void RSA_free(RSA_CTX *ctx);
 int RSA_decrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint8_t *out_data,
        int is_decryption);
 bigint *RSA_private(const RSA_CTX *c, bigint *bi_msg);
-#ifdef CONFIG_SSL_CERT_VERIFICATION
+#if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_GENERATE_X509_CERT)
 bigint *RSA_sign_verify(BI_CTX *ctx, const uint8_t *sig, int sig_len,
        bigint *modulus, bigint *pub_exp);
 bigint *RSA_public(const RSA_CTX * c, bigint *bi_msg);
--- a/httpd/axhttp.h
+++ b/httpd/axhttp.h
@ -28,7 +28,6 @@
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "os_port.h"
 #include "ssl.h"
 #define BACKLOG 15
--- a/ssl/Config.in
+++ b/ssl/Config.in
@ -144,7 +144,7 @@ config CONFIG_SSL_PRIVATE_KEY_PASSWORD
 config CONFIG_SSL_X509_CERT_LOCATION
    string "X.509 certificate file location"
-    depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_SKELETON_MODE
+    depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
    help
        The file location of the X.509 certificate which will be automatically
        loaded on a ssl_ctx_new().
@ -156,10 +156,13 @@ config CONFIG_SSL_GENERATE_X509_CERT
        An X.509 certificate can be automatically generated on a
        ssl_ctx_new(). A private key still needs to be provided (the private
        key in ss/private_key.h will be used unless 
-        CONFIG_SSL_PRIVATE_KEY_LOCATION is set.
+        CONFIG_SSL_PRIVATE_KEY_LOCATION is set).
        The certificate is generated on the fly, and so a minor start-up time
-        penalty is to be expected.
+        penalty is to be expected. This feature adds around 5kB to the
        library.
        This feature is disabled by default.
 config CONFIG_SSL_X509_COMMON_NAME
    string "X.509 Common Name"
@ -168,7 +171,7 @@ config CONFIG_SSL_X509_COMMON_NAME
        The common name for the X.509 certificate. This should in theory be
        the URL for server.
-        If this is blank, then the hostname is used.
+        If this is blank, then this will be value from gethostname().
 config CONFIG_SSL_X509_ORGANIZATION_NAME
    string "X.509 Organization Name"
@ -176,14 +179,15 @@ config CONFIG_SSL_X509_ORGANIZATION_NAME
    help
        The organization name for the generated X.509 certificate. 
-        If this is blank, then $USERNAME will be used.
+        If this is blank, then $USERDOMAIN will be used.
 config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
    string "X.509 Organization Unit Name"
    depends on CONFIG_SSL_GENERATE_X509_CERT
    help
-        The organization unit name for the generated X.509 certificate. This
+        The organization unit name for the generated X.509 certificate. 
-        field is optional.
+
        This field is optional.
 config CONFIG_SSL_ENABLE_V23_HANDSHAKE
    bool "Enable v23 Handshake"
@ -322,7 +326,7 @@ config CONFIG_PERFORMANCE_TESTING
 config CONFIG_SSL_TEST
    bool "Build the SSL testing tool"
    default n
-    depends on CONFIG_SSL_FULL_MODE
+    depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT 
    help
        Used for sanity checking the SSL handshaking.
--- a/ssl/asn1.c
+++ b/ssl/asn1.c
@ -112,7 +112,7 @@ int asn1_get_int(const uint8_t *buf, int *offset, uint8_t **object)
    if ((len = asn1_next_obj(buf, offset, ASN1_INTEGER)) < 0)
        goto end_int_array;
-    if (buf[*offset] == 0x00)    /* ignore the negative byte */
+    if (len > 1 && buf[*offset] == 0x00)    /* ignore the negative byte */
    {
        len--;
        (*offset)++;
--- a/ssl/gen_cert.c
+++ b/ssl/gen_cert.c
@ -195,14 +195,14 @@ static int gen_issuer(const char * dn[], uint8_t *buf, int *offset)
        goto error;
    if (dn[X509_ORGANIZATION] == NULL || strlen(dn[X509_ORGANIZATION]) == 0)
-        dn[X509_ORGANIZATION] = getenv("USERNAME");
+        dn[X509_ORGANIZATION] = getenv("USERDOMAIN");
    if (dn[X509_ORGANIZATION] != NULL && 
            ((ret = gen_dn(dn[X509_ORGANIZATION], 10, buf, offset))))
        goto error;
    if (dn[X509_ORGANIZATIONAL_TYPE] != NULL &&
-                                strlen(dn[X509_ORGANIZATIONAL_TYPE]) != 0)
+                                strlen(dn[X509_ORGANIZATIONAL_TYPE]) > 0)
    {
        if ((ret = gen_dn(dn[X509_ORGANIZATIONAL_TYPE], 11, buf, offset)))
            goto error;
@ -219,8 +219,8 @@ static const uint8_t time_seq[] =
    ASN1_SEQUENCE, 30, 
    ASN1_UTC_TIME, 13, 
    '0', '7', '0', '1', '0', '1', '0', '0', '0', '0', '0', '0', 'Z', 
-    ASN1_UTC_TIME, 13,  /* make it good for 40 or so years */
+    ASN1_UTC_TIME, 13,  /* make it good for 30 or so years */
-    '4', '9', '0', '1', '0', '1', '0', '0', '0', '0', '0', '0', 'Z'
+    '3', '8', '0', '1', '0', '1', '0', '0', '0', '0', '0', '0', 'Z'
 };
 static void gen_utc_time(uint8_t *buf, int *offset)
@ -342,7 +342,7 @@ error:
 /**
 * Create a new certificate.
 */
-EXP_FUNC int STDCALL ssl_x509_create(SSL_CTX *ssl_ctx, const char * dn[], uint32_t options, uint8_t **cert_data)
+EXP_FUNC int STDCALL ssl_x509_create(SSL_CTX *ssl_ctx, uint32_t options, const char * dn[], uint8_t **cert_data)
 {
    int ret = X509_OK, offset = 0, seq_offset;
    /* allocate enough space to load a new certificate */
--- a/ssl/loader.c
+++ b/ssl/loader.c
@ -395,6 +395,16 @@ int load_key_certs(SSL_CTX *ssl_ctx)
 {
    int ret = SSL_OK;
    uint32_t options = ssl_ctx->options;
 #ifdef CONFIG_SSL_GENERATE_X509_CERT 
    uint8_t *cert_data = NULL;
    int cert_size;
    static const char *dn[] = 
    {
        CONFIG_SSL_X509_COMMON_NAME,
        CONFIG_SSL_X509_ORGANIZATION_NAME,
        CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
    };
 #endif
    /* do the private key first */
    if (strlen(CONFIG_SSL_PRIVATE_KEY_LOCATION) > 0)
@ -417,16 +427,7 @@ int load_key_certs(SSL_CTX *ssl_ctx)
    /* now load the certificate */
 #ifdef CONFIG_SSL_GENERATE_X509_CERT 
-    uint8_t *cert_data;
+    if ((cert_size = ssl_x509_create(ssl_ctx, 0, dn, &cert_data)) < 0)
    int cert_size;
    static const char *dn[] = 
    {
        CONFIG_SSL_X509_COMMON_NAME,
        CONFIG_SSL_X509_ORGANIZATION_NAME,
        CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
    };
    if ((cert_size = ssl_x509_create(ssl_ctx, dn, &cert_data)) < 0)
    {
        ret = cert_size;
        goto error;
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@ -439,9 +439,10 @@ EXP_FUNC int STDCALL ssl_obj_memory_load(SSL_CTX *ssl_ctx, int obj_type, const u
 * @brief Create an X.509 certificate. 
 * 
 * This certificate is a self-signed v1 cert with a fixed start/stop validity 
- * times. It is also signed with the private key in ssl_ctx->rsa_ctx.
+ * times. It is signed with an internal private key in ssl_ctx.
 *
 * @param ssl_ctx [in] The client/server context.
 * @param options [in] Not used yet.
 * @param dn [in] An array of distinguished name strings. The array is defined
 * by:
 * - SSL_X509_CERT_COMMON_NAME (0)
@ -452,12 +453,11 @@ EXP_FUNC int STDCALL ssl_obj_memory_load(SSL_CTX *ssl_ctx, int obj_type, const u
 *        will be used.
 * - SSL_X509_CERT_ORGANIZATIONAL_NAME (2)
 *      - SSL_X509_CERT_ORGANIZATIONAL_NAME is optional.
 * @param options [in] Not used yet.
 * @param cert_data [out] The certificate as a sequence of bytes.
 * @return < 0 if an error, or the size of the certificate in bytes.
 * @note cert_data must be freed when there is no more need for it.
 */
-EXP_FUNC int STDCALL ssl_x509_create(SSL_CTX *ssl_ctx, const char * dn[], uint32_t options, uint8_t **cert_data);
+EXP_FUNC int STDCALL ssl_x509_create(SSL_CTX *ssl_ctx, uint32_t options, const char * dn[], uint8_t **cert_data);
 #endif
 /**
--- a/ssl/test/Makefile
+++ b/ssl/test/Makefile
@ -75,11 +75,12 @@ CRYPTO_OBJ=\
 OBJ=\
 	$(AXTLS_SSL_PATH)asn1.obj \
-	$(AXTLS_SSL_PATH)x509.obj \
+	$(AXTLS_SSL_PATH)gen_cert.obj \
 	$(AXTLS_SSL_PATH)os_port.obj \
 	$(AXTLS_SSL_PATH)loader.obj \
 	$(AXTLS_SSL_PATH)openssl.obj \
 	$(AXTLS_SSL_PATH)os_port.obj \
 	$(AXTLS_SSL_PATH)p12.obj \
 	$(AXTLS_SSL_PATH)x509.obj \
 	$(AXTLS_SSL_PATH)tls1.obj \
 	$(AXTLS_SSL_PATH)tls1_svr.obj \
 	$(AXTLS_SSL_PATH)tls1_clnt.obj
--- a/ssl/test/ssltest.c
+++ b/ssl/test/ssltest.c
@ -58,7 +58,6 @@
 static int g_port = 19001;
 #if 0
 /**************************************************************************
 * AES tests 
 * 
@ -647,7 +646,6 @@ bad_cert:
        printf("Error: A certificate test failed\n");
    return res;
 }
 #endif
 /**
 * init a server socket.
@ -781,6 +779,11 @@ static int SSL_server_test(
    if ((server_fd = server_socket_init(&g_port)) < 0)
        goto error;
    if (private_key)
    {
        axolotls_option |= SSL_NO_DEFAULT_KEY;
    }
    if ((ssl_ctx = ssl_ctx_new(axolotls_option, SSL_DEFAULT_SVR_SESS)) == NULL)
    {
        ret = SSL_ERROR_INVALID_KEY;
@ -881,7 +884,6 @@ static int SSL_server_test(
 error:
    ssl_ctx_free(ssl_ctx);
 printf("RES %d\n", ret); TTY_FLUSH();
    return ret;
 }
@ -1126,9 +1128,14 @@ int SSL_server_tests(void)
 cleanup:
    if (ret)
    {
-        printf("Error: A server test failed\n"); TTY_FLUSH();
+        printf("Error: A server test failed\n");
        ssl_display_error(ret);
        exit(1);
    }
    else
    {
        printf("All server tests passed\n"); TTY_FLUSH();
    }
    return ret;
 }
@ -1203,6 +1210,11 @@ static int SSL_client_test(
    if (*ssl_ctx == NULL)
    {
        if (private_key)
        {
            client_options |= SSL_NO_DEFAULT_KEY;
        }
        if ((*ssl_ctx = ssl_ctx_new(
                            client_options, SSL_DEFAULT_CLNT_SESS)) == NULL)
        {
@ -1402,7 +1414,7 @@ int SSL_client_tests(void)
                    &ssl_ctx,
                    "-cert ../ssl/test/axTLS.x509_device.pem "
                    "-key ../ssl/test/axTLS.device_key.pem "
-                    "-CAfile ../ssl/test/axTLS.x509_512.pem", NULL,
+                    "-CAfile ../ssl/test/axTLS.x509_512.pem ", NULL,
                    DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
        goto cleanup;
@ -1414,7 +1426,8 @@ int SSL_client_tests(void)
                    "-CAfile ../ssl/test/axTLS.ca_x509.pem "
                    "-verify 1 ", NULL, DEFAULT_CLNT_OPTION, 
                    "../ssl/test/axTLS.key_1024", NULL,
-                    "../ssl/test/axTLS.x509_1024.cer")))
+                    "../ssl/test/axTLS.x509_1024.cer")) 
                        != SSL_X509_ERROR(X509_VFY_ERROR_SELF_SIGNED))
        goto cleanup;
    /* Should get an "ERROR" from openssl (as the handshake fails as soon as
@ -1451,7 +1464,15 @@ int SSL_client_tests(void)
 cleanup:
    if (ret)
    {
        ssl_display_error(ret);
        printf("Error: A client test failed\n");
        exit(1);
    }
    else
    {
        printf("All client tests passed\n"); TTY_FLUSH();
    }
    return ret;
 }
@ -1460,7 +1481,6 @@ cleanup:
 * SSL Basic Testing (test a big packet handshake)
 *
 **************************************************************************/
 #if 0
 static uint8_t basic_buf[256*1024];
 static void do_basic(void)
@ -1483,6 +1503,7 @@ static void do_basic(void)
    /* check the return status */
    if (ssl_handshake_status(ssl_clnt) < 0)
    {
        printf("YA YA\n");
        ssl_display_error(ssl_handshake_status(ssl_clnt));
        goto error;
    }
@ -1571,7 +1592,6 @@ error:
    ssl_ctx_free(ssl_svr_ctx);
    return ret;
 }
 #endif
 #if !defined(WIN32) && defined(CONFIG_SSL_CTX_MUTEXING)
 /**************************************************************************
@ -1725,7 +1745,7 @@ error:
    SOCKET_CLOSE(server_fd);
    return res;
 }
-#endif
+#endif /* !defined(WIN32) && defined(CONFIG_SSL_CTX_MUTEXING) */ 
 /**************************************************************************
 * Header issue
@ -1792,7 +1812,7 @@ error:
 int main(int argc, char *argv[])
 {
    int ret = 1;
-    //BI_CTX *bi_ctx;
+    BI_CTX *bi_ctx;
    int fd;
 #ifdef WIN32
@ -1807,7 +1827,12 @@ int main(int argc, char *argv[])
    dup2(fd, 2);
 #endif
-#if 0
+    /* can't do testing in this mode */
 #if defined CONFIG_SSL_GENERATE_X509_CERT
    printf("Error: Must compile with default key/certificates\n");
    exit(1);
 #endif
    bi_ctx = bi_initialize();
    if (AES_test(bi_ctx))
@ -1882,7 +1907,6 @@ int main(int argc, char *argv[])
        goto cleanup;
    system("sh ../ssl/test/killopenssl.sh");
 #endif
    if (SSL_server_tests())
        goto cleanup;
@ -1891,7 +1915,7 @@ int main(int argc, char *argv[])
    if (header_issue())
    {
-        printf("Header tests failed\n");
+        printf("Header tests failed\n"); TTY_FLUSH();
        goto cleanup;
    }
--- a/ssl/tls1.c
+++ b/ssl/tls1.c
@ -414,7 +414,7 @@ int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
        x509_free(cert);        /* get rid of it */
        ca_cert_ctx->cert[i] = NULL;
 #ifdef CONFIG_SSL_FULL_MODE
-        printf("Error: %s\n", x509_display_error(ret));
+        printf("Error: %s\n", x509_display_error(ret)); TTY_FLUSH();
 #endif
        goto error;
    }
@ -1477,7 +1477,6 @@ int send_certificate(SSL *ssl)
    while (i < ssl->ssl_ctx->chain_length)
    {
        X509_CTX *cert_ctx;
        SSL_CERT *cert = &ssl->ssl_ctx->certs[i];
        buf[offset++] = 0;        
        buf[offset++] = cert->size >> 8;        /* cert 1 length */
@ -1485,10 +1484,6 @@ int send_certificate(SSL *ssl)
        memcpy(&buf[offset], cert->buf, cert->size);
        offset += cert->size;
        i++;
        // TODO: get rid of these
        x509_new(cert->buf, &cert->size, &cert_ctx);
        x509_print(cert_ctx, NULL);
        x509_free(cert_ctx);
    }
    chain_length = offset - 7;
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@ -42,6 +42,7 @@ extern "C" {
 #include "version.h"
 #include "crypto.h"
 #include "os_port.h"
 #include "crypto_misc.h"
 #define SSL_RANDOM_SIZE             32
@ -261,8 +262,8 @@ void DISPLAY_RSA(SSL *ssl,  const RSA_CTX *rsa_ctx);
 void DISPLAY_ALERT(SSL *ssl, int alert);
 #else
 #define DISPLAY_STATE(A,B,C,D)
-#define DISPLAY_CERT(A,B,C)
+#define DISPLAY_CERT(A,B)
-#define DISPLAY_RSA(A,B,C)
+#define DISPLAY_RSA(A,B)
 #define DISPLAY_ALERT(A, B)
 #ifdef WIN32
 void DISPLAY_BYTES(SSL *ssl, const char *format,/* win32 has no variadic macros */
--- a/ssl/tls1_clnt.c
+++ b/ssl/tls1_clnt.c
@ -305,7 +305,7 @@ static int send_client_key_xchg(SSL *ssl)
    premaster_secret[0] = 0x03; /* encode the version number */
    premaster_secret[1] = 0x01;
    get_random(SSL_SECRET_SIZE-2, &premaster_secret[2]);
-    DISPLAY_RSA(ssl, "send_client_key_xchg", ssl->x509_ctx->rsa_ctx);
+    DISPLAY_RSA(ssl, ssl->x509_ctx->rsa_ctx);
    /* rsa_ctx->bi_ctx is not thread-safe */
    SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
@ -351,7 +351,7 @@ static int send_cert_verify(SSL *ssl)
    RSA_CTX *rsa_ctx = ssl->ssl_ctx->rsa_ctx;
    int n = 0, ret;
-    DISPLAY_RSA(ssl, "send_cert_verify", rsa_ctx);
+    DISPLAY_RSA(ssl, rsa_ctx);
    buf[0] = HS_CERT_VERIFY;
    buf[1] = 0;
--- a/ssl/tls1_svr.c
+++ b/ssl/tls1_svr.c
@ -378,7 +378,7 @@ static int process_client_key_xchg(SSL *ssl)
    int offset = 4;
    int ret = SSL_OK;
-    DISPLAY_RSA(ssl, "process_client_key_xchg", rsa_ctx);
+    DISPLAY_RSA(ssl, rsa_ctx);
    /* is there an extra size field? */
    if ((secret_length - 2) == rsa_ctx->num_octets)
@ -444,7 +444,7 @@ static int process_cert_verify(SSL *ssl)
    PARANOIA_CHECK(pkt_size, x509_ctx->rsa_ctx->num_octets+6);
-    DISPLAY_RSA(ssl, "process_cert_verify", x509_ctx->rsa_ctx);
+    DISPLAY_RSA(ssl, x509_ctx->rsa_ctx);
    /* rsa_ctx->bi_ctx is not thread-safe */
    SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
--- a/ssl/x509.c
+++ b/ssl/x509.c
@ -264,7 +264,7 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
    bigint *cert_sig;
    X509_CTX *next_cert = NULL;
    BI_CTX *ctx;
-    bigint *mod, *expn;
+    bigint *mod = NULL, *expn = NULL;
    struct timeval tv;
    int match_ca_cert = 0;
    uint8_t is_self_signed = 0;
@ -319,14 +319,6 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
        goto end_verify;
    }
    /* check the chain integrity */
    if (next_cert && !match_ca_cert &&
               asn1_compare_dn(cert->ca_cert_dn, next_cert->cert_dn) == 0)
    {
        ret = X509_VFY_ERROR_INVALID_CHAIN;
        goto end_verify;
    }
    ctx = cert->rsa_ctx->bi_ctx;
    /* check for self-signing */
@ -336,20 +328,31 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
        mod = cert->rsa_ctx->m;
        expn = cert->rsa_ctx->e;
    }
-    else
+    else if (next_cert != NULL)
    {
        mod = next_cert->rsa_ctx->m;
        expn = next_cert->rsa_ctx->e;
        /* check the chain integrity */
        if (asn1_compare_dn(cert->ca_cert_dn, next_cert->cert_dn) != 0)
        {
            ret = X509_VFY_ERROR_INVALID_CHAIN;
            goto end_verify;
        }
    }
    /* check the signature */
    if (mod != NULL)
    {
        cert_sig = sig_verify(ctx, cert->signature, cert->sig_len, 
                bi_clone(ctx, mod), bi_clone(ctx, expn));
        if (cert_sig && cert->digest)
        {
            if (bi_compare(cert_sig, cert->digest))
            {
                ret = X509_VFY_ERROR_BAD_SIGNATURE;
            }
            bi_free(ctx, cert_sig);
@ -361,6 +364,7 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
            ret = X509_VFY_ERROR_BAD_SIGNATURE;
            goto end_verify;
        }
    }
    if (is_self_signed)
    {
--- a/www/index.html
+++ b/www/index.html